author | Ido Yariv <ido@wizery.com> | 2010-09-22 03:53:13 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2010-09-27 15:57:38 -0400 |
commit | 67e0208acea29682f5766eb9f67f6f26117eef3e (patch) | |
tree | 39445bd52a7c310d5f70b94aa0c257fdd1a8669b /drivers/net/wireless/wl12xx | |
parent | 87fd2e6c90acb45a5741207fc953190596f93841 (diff) |
wl1271: Fix overflow in wl1271_boot_upload_nvs
Due to miscalculation of nvs_len, excessive data was sent to the
firmware.
Fix this by first setting nvs_ptr to point to the first NVS table,
and computing the total size of all NVS tables accordingly.
Signed-off-by: Ido Yariv <ido@wizery.com>
Tested-By: Tuomas Katila <ext-tuomas.2.katila@nokia.com>
Acked-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/wl12xx')
-rw-r--r-- | drivers/net/wireless/wl12xx/wl1271_boot.c | 17 |
1 files changed, 6 insertions, 11 deletions
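--- a/drivers/net/wireless/wl12xx/wl1271_boot.c
+++ b/drivers/net/wireless/wl12xx/wl1271_boot.c
@@ -274,11 +274,11 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
 
 /*
 * We've reached the first zero length, the first NVS table
-* is 7 bytes further.
+* is located at an aligned offset which is at least 7 bytes further.
 */
-nvs_ptr += 7;
+nvs_ptr = (u8 *)wl->nvs->nvs +
+ALIGN(nvs_ptr - (u8 *)wl->nvs->nvs + 7, 4);
 nvs_len -= nvs_ptr - (u8 *)wl->nvs->nvs;
-nvs_len = ALIGN(nvs_len, 4);
 
 /* FIXME: The driver sets the partition here, but this is not needed,
 since it sets to the same one as currently in use */
@@ -286,14 +286,9 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
 wl1271_set_partition(wl, &part_table[PART_WORK]);
 
 /* Copy the NVS tables to a new block to ensure alignment */
-/* FIXME: We jump 3 more bytes before uploading the NVS. It seems
-that our NVS files have three extra zeros here. I'm not sure whether
-the problem is in our NVS generation or we should really jumpt these
-3 bytes here */
-nvs_ptr += 3;
-
-nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL); if
-(!nvs_aligned) return -ENOMEM;
+nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL);
+if (!nvs_aligned)
+return -ENOMEM;
 
 /* And finally we upload the NVS tables */
 /* FIXME: In wl1271, we upload everything at once.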
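Review bot: The first hunk still subtracts the aligned offset from `nvs_len` without checking that the realigned `nvs_ptr` lies inside the NVS image, so a malformed or truncated NVS file could push the offset past the end of the buffer. If `nvs_len` is an unsigned size (its declaration is outside the hunk), the subtraction would wrap and the `kmemdup(nvs_ptr, nvs_len, GFP_KERNEL)` in the second hunk would read far beyond `wl->nvs->nvs`. A guard placed before `nvs_len -= ...`, along the lines of `if (nvs_ptr - (u8 *)wl->nvs->nvs >= nvs_len) return -EINVAL;`, would reject such a file instead of copying out-of-bounds kernel memory to the chip. The loop that walks `nvs_ptr` to the first zero length sits above the hunk and should be checked against the same bound; wl1271_boot_upload_nvs begins and ends outside both hunks.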